CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3024 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2021-3024
01 Feb 2021 — HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. HashiCorp Vault y Vault Enterprise revelaron la dirección IP interna del nodo de Vault al responder a algunas peticiones HTTP no válidas y no autenticadas. Corregido en las versiones 1.6.2 y 1.5.7 Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less... • https://discuss.hashicorp.com/t/hcsec-2021-02-vault-api-endpoint-exposed-internal-ip-address-without-authentication/20334 •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25594 – Gentoo Linux Security Advisory 202207-01
https://notcve.org/view.php?id=CVE-2020-25594
01 Feb 2021 — HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7. HashiCorp Vault y Vault Enterprise permitieron la enumeración de rutas de montaje de Secrets Engine por medio de peticiones HTTP no autenticadas. Corregido en las versiones 1.6.2 y 1.5.7 Multiple vulnerabilities have been discovered in HashiCorp Vault, the worst of which could result in denial of service. Versions less than 1.10.3 are affected. • https://discuss.hashicorp.com/t/hcsec-2021-03-vault-api-endpoint-allowed-enumeration-of-secrets-engine-mount-paths-without-authentication/20336 •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25816
https://notcve.org/view.php?id=CVE-2020-25816
30 Sep 2020 — HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed leases created with a batch token to outlive their TTL because expiration time was not scheduled correctly. Fixed in 1.4.7 and 1.5.4. Las versiones 1.0 y posteriores de HashiCorp Vault y Vault Enterprise permitían que los contratos de arrendamiento creados con un testigo de lote sobrevivieran a su TTL porque el tiempo de caducidad no estaba programado correctamente. Corregido en las versiones 1.4.7 y 1.5.4 • https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#154 •
CVSS: 8.2EPSS: 0%CPEs: 8EXPL: 1CVE-2020-16251 – vault: GCP Auth Method Allows Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-16251
26 Aug 2020 — HashiCorp Vault and Vault Enterprise versions 0.8.3 and newer, when configured with the GCP GCE auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1. HashiCorp Vault y Vault Enterprise versiones 0.8.3 y posteriores, cuando son configuradas con el método de autenticación GCP GCE, pueden ser vulnerables a una omisión de autenticación. Corregido en las versiones 1.2.5, 1.3.8, 1.4.4 y 1.5.1 A flaw was found in Vault and Vault Enterprise (“Vault”). In affected versions... • https://packetstorm.news/files/id/159479 • CWE-287: Improper Authentication •
CVSS: 8.2EPSS: 1%CPEs: 8EXPL: 1CVE-2020-16250 – vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-16250
26 Aug 2020 — HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.. HashiCorp Vault y Vault Enterprise versiones 0.7.1 y posteriores, cuando son configuradas con el método de autenticación AWS IAM, pueden ser vulnerables a una omisión de autenticación. Corregido en 1.2.5, 1.3.8, 1.4.4 y 1.5.1.. A flaw was found in Vault and Vault Enterprise (“Vault”). • https://packetstorm.news/files/id/159478 • CWE-290: Authentication Bypass by Spoofing CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-12757
https://notcve.org/view.php?id=CVE-2020-12757
10 Jun 2020 — HashiCorp Vault and Vault Enterprise 1.4.0 and 1.4.1, when configured with the GCP Secrets Engine, may incorrectly generate GCP Credentials with the default time-to-live lease duration instead of the engine-configured setting. This may lead to generated GCP credentials being valid for longer than intended. Fixed in 1.4.2. HashiCorp Vault y Vault Enterprise versión 1.4.0 y versión 1.4.1, cuando se configuran con el Motor de Secretos GCP, pueden generar incorrectamente Credenciales GCP con la duración de alqu... • https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020 • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-13223
https://notcve.org/view.php?id=CVE-2020-13223
10 Jun 2020 — HashiCorp Vault and Vault Enterprise logged proxy environment variables that potentially included sensitive credentials. Fixed in 1.3.6 and 1.4.2. HashiCorp Vault y Vault Enterprise registraron variables de entorno proxy que incluían potencialmente credenciales sensibles. Fijado en las versiones 1.3.6 y 1.4.2 • https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#142-may-21st-2020 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10661
https://notcve.org/view.php?id=CVE-2020-10661
23 Mar 2020 — HashiCorp Vault and Vault Enterprise versions 0.11.0 through 1.3.3 may, under certain circumstances, have existing nested-path policies grant access to Namespaces created after-the-fact. Fixed in 1.3.4. HashiCorp Vault y Vault Enterprise versiones 0.11.0 hasta 1.3.3, pueden bajo determinadas circunstancias, presentar políticas de ruta anidadas existentes que otorguen acceso a unos Espacios de Nombres después de los datos creados. Corregido en versión 1.3.4. • https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020 •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10660
https://notcve.org/view.php?id=CVE-2020-10660
23 Mar 2020 — HashiCorp Vault and Vault Enterprise versions 0.9.0 through 1.3.3 may, under certain circumstances, have an Entity's Group membership inadvertently include Groups the Entity no longer has permissions to. Fixed in 1.3.4. HashiCorp Vault y Vault Enterprise versiones 0.9.0 hasta 1.3.3, pueden bajo determinadas circunstancias, presentar una membresía Entity's Group que inadvertidamente incluye Grupos a los que la Entidad ya no tiene permiso. Corregido en 1.3.4. • https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#134-march-19th-2020 • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-7220
https://notcve.org/view.php?id=CVE-2020-7220
23 Jan 2020 — HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circumstances, to revoke dynamic secrets for a mount in a deleted namespace. Fixed in 1.3.2. HashiCorp Vault Enterprise versiones 0.11.0 hasta 1.3.1 presenta un fallo, en determinadas circunstancias, al revocar secretos dinámicos para un montaje en un espacio de nombres eliminado. Corregido en versión 1.3.2. • https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#132-january-22nd-2020 • CWE-404: Improper Resource Shutdown or Release •